Steps to enable GPG signing of git commits.

gpg_git_signing.md

If anyone is interested in setting up their system to automatically (or manually) sign their git commits with their GPG key, here are the steps:

1. Generate and add your key to GitHub
2. $ git config --global commit.gpgsign true ([OPTIONAL] every commit will now be signed)
3. $ git config --global user.signingkey ABCDEF01 (where ABCDEF01 is the fingerprint of the key to use)
4. $ git config --global alias.logs "log --show-signature" (now available as $ git logs)
5. $ git config --global alias.cis "commit -S" (optional if global signing is false)
6. $ echo "Some content" >> example.txt
7. $ git add example.txt
8. $ git cis -m "This commit is signed by a GPG key." (regular commit will work if global signing is enabled)
9. $ git logs

IntelliJ IDEA Integration

If you perform git commits through IntelliJ and want them to be signed, add the following line to your ~/.gnupg/gpg.conf file:

# This option tells gpg not to expect a TTY interface and allows IntelliJ to sign commits
no-tty

Atlassian SourceTree Integration

If you perform git commits through SourceTree and want them to be signed, open Preferences > General and ensure that the GPG Program field has the value set to the directory containing the gpg2 executable, for example /usr/local/MacGPG2/bin. Even if your gpg executable is version 2, the gpg2 executable must be present.

Then click the Settings icon at the top right of a repository window, click the Security icon, and check "Enable GPG key signing for commits" and select the desired key. If you have a default-key setting in ~/.gnupg/gpg.conf, this should be correctly populated already.

Resources

• https://youtrack.jetbrains.com/issue/IDEA-110261#comment=27-1388832
• https://github.com/blog/2144-gpg-signature-verification
• https://help.github.com/articles/signing-commits-using-gpg/
• https://unix.stackexchange.com/questions/48862/how-can-i-create-an-alias-for-a-git-action-command-which-includes-spaces
• https://mikegerwitz.com/papers/git-horror-story
• https://blog.erincall.com/p/signing-your-git-commits-with-gpg

Dont forget to restart the gpg-agent so the changes to ~/.gnupg/gpg.conf will take affect. The agent will start next time it is needed.
gpgconf --kill gpg-agent

Wondering if you have an example of commit via API to avoid the
"verification": {
"verified": false,
"reason": "unsigned",
"signature": null,
"payload": null
}
}

example via curl (-S does not seems to work)
git config --global commit.gpgsign true
git config --global user.signingkey ABCDEF01
curl --silent -u (user):(secret) -S -X PUT "https://api.github.com/repos//GPG_commit_test/contents/P3.txt" -d '{ "branch":"master","message":"1234 -Test","author": {"name": "(github id)","email": "email@whatever.com"},"content":"VGVzdCBUZXN0" }'